raise_for_status leaks HTTP basic auth #5021

calve · 2019-03-14T11:46:50Z

Calling raise_for_status() output (leaks) the HTTP basic auth password when raising an exception.

Expected Result

>>> import requests
>>> r = requests.get("http://user:somepassw@httpbin.org/status/401")
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://user:<redacted>@httpbin.org/status/401

Actual Result

Here we can see the HTTP password in the resulting exception (somepassw in our case)

>>> import requests
>>> r = requests.get("http://user:somepassw@httpbin.org/status/401")
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://user:somepassw@httpbin.org/status/401

System Information

$ python -m requests.help

{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "2.8"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.7.2"
  },
  "platform": {
    "release": "4.20.8-arch1-1-ARCH",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.21.0"
  },
  "system_ssl": {
    "version": "1010101f"
  },
  "urllib3": {
    "version": "1.24.1"
  },
  "using_pyopenssl": false
}

The text was updated successfully, but these errors were encountered:

calve · 2019-03-15T11:01:02Z

For future reader, one way to fix this behaviour is to pass the basic auth by kwargs;

>>> import requests
>>> r = requests.get("http://httpbin.org/status/401", auth=("user", "passwd"))
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://httpbin.org/status/401

Still, seeing that python-requests send a Authorization header, it looks like we could do something for the original leak, as requests knows which parts of the URL is the authentification

>>> r = requests.get("http://user:password@httpbin.org/status/401")
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://user:password@httpbin.org/status/401
>>> r.request.headers
{'User-Agent': 'python-requests/2.21.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'Basic dXNlcjpwYXNzd29yZA=='}

Overv linked a pull request Oct 2, 2019 that will close this issue

Change raise_for_status message to hide password in URL #5221

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

raise_for_status leaks HTTP basic auth #5021

raise_for_status leaks HTTP basic auth #5021

calve commented Mar 14, 2019

calve commented Mar 15, 2019

raise_for_status leaks HTTP basic auth #5021

raise_for_status leaks HTTP basic auth #5021

Comments

calve commented Mar 14, 2019

Expected Result

Actual Result

System Information

calve commented Mar 15, 2019